Does mobile VPN with IKEv2 allow MFA with OTP?
Hello,
When I searched to implement MFA with Watchguard Mobile VPN I went through these different steps:
1. MFA is only possible with AuthPoint which is a paid solution
2. MFA is possible without AuthPoint but only with IKEv2 which is better than SSL
3. And now I look for OTP hardware tokens and Watchguard Mobile VPN and I read that it works only with SSL VPN and not IKEv2 VPN...
I think that IKEv2 VPN is more secure and easier to deploy than SSL VPN. But I think that OTP MFA or SMS codes suit my needs better because they don't require a smartphone.
What do you think of this? Is it just a question of need, or is there a reason to say: if you want to use the VPN, buy/use a smartphone?
Secondly, should one build two radius servers (one with the Azure MFA extension installed for IKEv2 push notifications MFA and one for SSL VPN with OTP) and keep both Mobile VPN available for users?
Because what I understand is that often organizations will have both users with Microsoft Authenticator and users without a smartphone and using a hardware token with OATH/OTP.
And last but not least: can the same OTP hardware token be used for M365 MFA and Watchguard Mobile VPN? Isn't there a limitation that prevents the use of the same OTP token for different services?
Thank you in advance for your help.
Comments
I can't speak for the AuthPoint solution although if using the Azure MFA extensions to Windows NPS, the only supported method - as far as we've seen - is the "Notification" one.
ie. when a user connects through that RADIUS server, Azure MFA will send a notification to the user's mobile device that they need to accept before the connection continues.
Edit - I have this on a test firewall, but we do use that same RADIUS setup in production for a Remote Desktop Gateway (ie. I'm using the same RADIUS server).
Bearing in mind that the certificate configured for the mobile IKEv2 VPN endpoint has to be trusted in the first place, if you have an internal CA you can issue an appropriate certificate from there and install it such that only internal machines can connect in the first place - using Azure MFA might cause issues if the connection drops and reconnects, as the user has to know to accept the MFA prompt then.
(In one of our customer's cases, they had a rule if they denied the MFA prompt too many times it might raise an alert, as that can be a sign of a compromised password so keep that in mind too).
I mention the internal CA certificate as I had a feature request open to allow for user certificates to be an authentication mechanism (part of the MFA solution we were hoping to use), but apparently this only works with IPsec/IKEv1 which did not suit our setup (it had to be IKEv2 for the Windows AlwaysOn VPN setup).
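The reply above raises two operational points worth monitoring: repeated denied MFA prompts as a possible sign of a compromised password, and the prompt noise that drop/reconnect cycles generate. The following is an added worked example (editor's code, not from any poster, WatchGuard, or the Azure MFA NPS extension) showing how such detection could be scripted over authentication logs. The `user=… client=… event=…` line format and the sample lines are constructed for the example; real NPS or Azure MFA extension logs use a different layout, so the parser would need to be adapted to whatever your RADIUS server actually writes.

```python
"""Detection logic over MFA prompt/response log lines.

Added example for this thread; the key=value line format below is an
assumption and the sample lines are constructed, not real product output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one user who denies three pushes in a row on the
# IKEv2 VPN, and one WiFi user whose reconnects keep triggering prompts.
SAMPLE_LOG = """\
2024-05-02T08:00:01Z user=alice client=vpn-ikev2 event=mfa_prompt
2024-05-02T08:00:09Z user=alice client=vpn-ikev2 event=mfa_approved
2024-05-02T08:03:10Z user=bob client=vpn-ikev2 event=mfa_prompt
2024-05-02T08:03:20Z user=bob client=vpn-ikev2 event=mfa_denied
2024-05-02T08:04:05Z user=bob client=vpn-ikev2 event=mfa_prompt
2024-05-02T08:04:15Z user=bob client=vpn-ikev2 event=mfa_denied
2024-05-02T08:05:30Z user=bob client=vpn-ikev2 event=mfa_prompt
2024-05-02T08:05:41Z user=bob client=vpn-ikev2 event=mfa_denied
2024-05-02T08:10:00Z user=carol client=wifi event=mfa_prompt
2024-05-02T08:10:04Z user=carol client=wifi event=mfa_approved
2024-05-02T08:11:00Z user=carol client=wifi event=mfa_prompt
2024-05-02T08:11:03Z user=carol client=wifi event=mfa_approved
2024-05-02T08:12:00Z user=carol client=wifi event=mfa_prompt
2024-05-02T08:12:02Z user=carol client=wifi event=mfa_approved
"""


def parse_line(line):
    """Parse one assumed-format line into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def denied_prompt_alerts(records, threshold=3, window=timedelta(minutes=10)):
    """Return one alert per user whose denied MFA prompts reach `threshold`
    inside any sliding `window`. Repeated denials can mean someone else has
    the password and is triggering pushes the real user keeps rejecting."""
    denials = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event"] == "mfa_denied":
            denials[r["user"]].append(r["ts"])
    alerts = []
    for user, times in denials.items():
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"user": user, "count": end - start + 1,
                               "first": times[start], "last": times[end]})
                break  # one alert per user is enough
    return alerts


def prompts_per_client(records):
    """Count MFA prompts per client type, to show which client (VPN, WiFi)
    is generating the push noise that reconnects cause."""
    counts = defaultdict(int)
    for r in records:
        if r["event"] == "mfa_prompt":
            counts[r["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for a in denied_prompt_alerts(recs):
        print(f"ALERT {a['user']}: {a['count']} denied prompts "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
    print("prompts per client:", prompts_per_client(recs))
```

Tuning the threshold and window is site-specific; the per-client prompt count is the quick way to see whether a second RADIUS server for WiFi (as the later reply describes) would remove most of the push volume from the one that fronts the VPN.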
Thanks for the input on IKEv2 VPN with Azure MFA.
Disconnects can trigger new MFA prompts, which is something to keep in mind. It’s also useful to be aware of denied prompts and monitor them.
Using IKEv2 with client certificates might be a simpler option. It feels like 2FA, but I’m not sure how it compares to TOTP or push-based MFA in terms of security.
If anyone has more info or thoughts on that, it’d be helpful.
I have an open case which resulted in a feature request ID FBX-7518 to use client certificates with the IKEv2 MUVPN endpoint (was requested by the team I work with that do Intune deployments as it was part of an AlwaysOn VPN setup and they felt it more secure since it's also passwordless).
As a side note, when a fellow admin configured the WiFi for a client to use the same RADIUS server (ie. the one with Azure MFA extensions), it caused enough noise to require a second RADIUS server for WiFi authentication that used a different method of authentication, if you think about how many reconnections WiFi can trigger.